Computer security expert claims it took him just 90 seconds to exploit security flaw in the Metropolitan Police’s website

A computer security expert took less than two minutes to exploit an “embarrassing” flaw in the Metropolitan Police’s website, which he claims could have left computer users vulnerable to malicious attacks.

Ilia Kolochenko, a consultant who is employed by companies to find weaknesses in their systems, said it took just 90 seconds to find a vulnerability which allowed him to create a fake page under the Met’s domain name.

A malicious hacker could have exploited this to create a page asking members of the public for personal information, or one injecting malware, which would have been impossible to distinguish from a genuine police link.

“I couldn’t access the Met’s police database, but I could very easily create a new link for the site,” the 27-year-old said.

“From there, you ask someone to enter their details, or pay a fine, and because it’s the police site people will believe it. You can even say that somebody is under investigation.”

He added: “I’ve been doing hacks since I was 15 years old so this one was not difficult.”

Mr Kolochenko left a message announcing “Barak [sic] Obama is wanted by UK police. Dead or alive” on one page, which has since been removed.

Last year Mr Kolochenko, who is the CEO of Geneva-based security company High-Tech Bridge, exposed a similar flaw in the website of the American stock exchange NASDAQ.

Graham Cluley, an independent security expert, explained many websites were vulnerable to attacks of this kind but said it was particularly embarrassing the Met had found itself a potential target.

“A typical way in which [weaknesses like this] can be used by malicious cybercriminals is to display a bogus login page. Any user IDs or passwords that are entered go straight to a web server run by the hackers, rather than the real site,” he said.

“One would hope that organisations like the Met Police would have tested their website for vulnerabilities, and ensured that they have kept up-to-date with the updating of their server software to reduce the opportunities for embarrassing attacks like this to take place.”

He added: “Let’s hope the only people to exploit the flaw have been legitimate security researchers rather than the bad guys”.

The Met said it had found evidence of a hacking attempt but that the weakness had now been addressed.

“After an initial investigation, evidence of a minor hacking attempt was found on the Met Police public-facing website,” a spokesman said.

“Counter measures were swiftly put in place to prevent any further attempts to add hacked messages to our public-facing website.

“The MPS has robust security arrangements in place to ensure the integrity of our internal systems.

“We have assessed that at no time would any such attack aimed at our public-facing website put any of our critical operational systems or service to the public at risk.

“Like all organisations with a web presence, we continue to remain vigilant of these types of cyber attacks.”